'\" t
.\"     Title: IPSEC_SPIGRP
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 10/06/2010
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "IPSEC_SPIGRP" "5" "10/06/2010" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ipsec_spigrp \- list IPSEC Security Association groupings
.SH "SYNOPSIS"
.HP \w'\fBipsec\fR\ 'u
\fBipsec\fR \fIspigrp\fR
.br
\fIcat/proc/net/ipsec_spigrp\fR
.br

.SH "OBSOLETE"
.PP
Note that spigrp is only supported on the classic KLIPS stack\&. It is not supported on any other stack and will be completely removed in future versions\&. A replacement command still needs to be designed
.SH "DESCRIPTION"
.PP
/proc/net/ipsec_spigrp
is a read\-only file that lists groups of IPSEC Security Associations (SAs)\&.
.PP
An entry in the IPSEC extended routing table can only point (via an SAID) to one SA\&. If more than one transform must be applied to a given type of packet, this can be accomplished by setting up several SAs with the same destination address but potentially different SPIs and protocols, and grouping them with
\fIipsec_spigrp(8)\fR\&.
.PP
The SA groups are listed, one line per connection/group, as a sequence of SAs to be applied (or that should have been applied, in the case of an incoming packet) from inside to outside the packet\&. An SA is identified by its SAID, which consists of protocol ("ah", "esp", "comp" or "tun"), SPI (with \'\&.\' for IPv4 or \':\' for IPv6 prefixed hexadecimal number ) and destination address (IPv4 dotted quad or IPv6 coloned hex) prefixed by \'@\', in the format <proto><af><spi>@<dest>\&.
.SH "EXAMPLES"
.PP
\fBtun\&.3d0@192\&.168\&.2\&.110\fR
.RS 4
\fBcomp\&.3d0@192\&.168\&.2\&.110\fR
\fBesp\&.187a101b@192\&.168\&.2\&.110\fR
\fBah\&.187a101a@192\&.168\&.2\&.110\fR
.RE
.PP
is a group of 3 SAs, destined for
192\&.168\&.2\&.110
with an IPv4\-in\-IPv4 tunnel SA applied first with an SPI of
\fB3d0\fR
in hexadecimal, followed by a Deflate compression header to compress the packet with CPI of
\fB3d0\fR
in hexadecimal, followed by an Encapsulating Security Payload header to encrypt the packet with SPI
\fB187a101b\fR
in hexadecimal, followed by an Authentication Header to authenticate the packet with SPI
\fB187a101a\fR
in hexadecimal, applied from inside to outside the packet\&. This could be an incoming or outgoing group, depending on the address of the local machine\&.
.PP
\fBtun:3d0@3049:1::2\fR
.RS 4
\fBcomp:3d0@3049:1::2\fR
\fBesp:187a101b@3049:1::2\fR
\fBah:187a101a@3049:1::2\fR
.RE
.PP
is a group of 3 SAs, destined for
\fB3049:1::2\fR
with an IPv6\-in\-IPv6 tunnel SA applied first with an SPI of
\fB3d0\fR
in hexadecimal, followed by a Deflate compression header to compress the packet with CPI of
\fB3d0\fR
in hexadecimal, followed by an Encapsulating Security Payload header to encrypt the packet with SPI
\fB187a101b\fR
in hexadecimal, followed by an Authentication Header to authenticate the packet with SPI
\fB187a101a\fR
in hexadecimal, applied from inside to outside the packet\&. This could be an incoming or outgoing group, depending on the address of the local machine\&.
.SH "FILES"
.PP
/proc/net/ipsec_spigrp, /usr/local/bin/ipsec
.SH "SEE ALSO"
.PP
ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5), ipsec_pf_key(5)
.SH "HISTORY"
.PP
Written for the Linux FreeS/WAN project <\m[blue]\fBhttp://www\&.freeswan\&.org/\fR\m[]> by Richard Guy Briggs\&.
.SH "BUGS"
.PP
:\-)
